CVE-2024-35783

Summary

A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions < V2020 SP2 Update 5), SIMATIC Information Server 2022 (All versions < V2022 SP1 Update 2), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC06), SIMATIC Process Historian 2020 (All versions < V2020 SP2 Update 5), SIMATIC Process Historian 2022 (All versions < V2022 SP1 Update 2), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 3), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges.

Affected Software

VendorProductVersion RangeStatus
SiemensSIMATIC BATCH V9.10 < *affected
SiemensSIMATIC Information Server 20200 < V2020 SP2 Update 5affected
SiemensSIMATIC Information Server 20220 < V2022 SP1 Update 2affected
SiemensSIMATIC PCS 7 V9.10 < V9.1 SP2 UC06affected
SiemensSIMATIC Process Historian 20200 < V2020 SP2 Update 5affected
SiemensSIMATIC Process Historian 20220 < V2022 SP1 Update 2affected
SiemensSIMATIC WinCC Runtime Professional V180 < V18 Update 5affected
SiemensSIMATIC WinCC Runtime Professional V190 < V19 Update 3affected
SiemensSIMATIC WinCC V7.40 < *affected
SiemensSIMATIC WinCC V7.50 < V7.5 SP2 Update 18affected
SiemensSIMATIC WinCC V8.00 < V8.0 Update 5affected

Weaknesses

  • CWE-250: CWE-250: Execution with Unnecessary Privileges

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References